The phenomenal growth of networks places a burden on the security of network resources. Network Admission Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy describing how access to network nodes is secured when devices attempt to join the network.
For example, European Pat. Pub. No. EP2164228 A1, “Hierarchical application of security services with a computer network,” describes techniques for the hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies the security capabilities of those computing devices. The network device also receives network traffic associated with a computing device and applies a set of patterns, defined by a policy associated with the security class, to the network traffic in order to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. Because it receives security classification information, the network device becomes aware of the security capabilities of the computing device and applies only those patterns required to augment the detected capabilities, thereby avoiding overlapping security services by applying them in a hierarchical manner. However, this approach scans the network and collects a network security snapshot that associates each host with its installed patches, applications, etc. When that particular host creates, sends, or receives network data, tailor-made pattern matching is applied for that host. For example, if it is known that only certain applications are installed on the host, then only attacks related to those applications are scanned for and matched. Thus, this approach requires scanning the entire network and applies pattern matching for all applications installed on a host, rather than being specific to an identified vulnerable application.
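The class-to-capability mapping and hierarchical pattern selection described above, as an added illustration that is not code from the cited publication; the security classes, capability names, signatures and host addresses are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Pattern:
    name: str
    signature: bytes            # constructed, simplified byte signature
    covered_by: Optional[str]   # host-side capability that already handles this attack class

@dataclass(frozen=True)
class SecurityClass:
    name: str
    capabilities: frozenset     # capabilities every device in this class is known to have

# Policy: the full pattern set the network device could apply (constructed sample).
POLICY = (
    Pattern("sql-injection", b"' OR '1'='1", covered_by="host-waf"),
    Pattern("malware-download", b"EICAR-STANDARD-ANTIVIRUS-TEST", covered_by="host-antivirus"),
    Pattern("smb-exploit", b"\xffSMB\x72\x00", covered_by="host-firewall"),
    Pattern("dns-tunnel", b"tunnel.example.test", covered_by=None),  # no host capability covers this
)

CLASSES = {
    "unmanaged": SecurityClass("unmanaged", frozenset()),
    "managed": SecurityClass("managed", frozenset({"host-antivirus", "host-firewall"})),
}

# Security classification information: computing device -> security class.
HOST_TO_CLASS = {"10.0.0.5": "unmanaged", "10.0.0.9": "managed"}

def patterns_for_host(host: str) -> List[str]:
    """Hierarchical selection: apply only patterns the host's own capabilities do not cover.
    A host with no classification is treated as least capable, so nothing is skipped."""
    cls = CLASSES[HOST_TO_CLASS.get(host, "unmanaged")]
    return [p.name for p in POLICY
            if p.covered_by is None or p.covered_by not in cls.capabilities]

def inspect(host: str, payload: bytes) -> Tuple[bool, List[str]]:
    """Return (forward?, matched pattern names) for traffic associated with `host`."""
    selected = set(patterns_for_host(host))
    matched = [p.name for p in POLICY if p.name in selected and p.signature in payload]
    return (len(matched) == 0, matched)

if __name__ == "__main__":
    for h in HOST_TO_CLASS:
        print(h, patterns_for_host(h))
    print(inspect("10.0.0.9", b"GET /EICAR-STANDARD-ANTIVIRUS-TEST"))  # AV on host: not re-scanned
    print(inspect("10.0.0.5", b"GET /EICAR-STANDARD-ANTIVIRUS-TEST"))  # unmanaged: scanned, blocked
```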
By way of another example, U.S. Pat. No. 6,816,973 describes a method and system for adaptive network security using intelligent packet analysis. The method comprises monitoring network data traffic. The network data traffic is analyzed to assess network information. A plurality of analysis tasks are prioritized based upon the network information. The analysis tasks are to be performed on the monitored network data traffic in order to identify attacks upon the network. However, this approach creates a network map comprising information about the different devices, operating systems, and services installed in the network, etc., and then uses that information to analyze network packets. Thus, the system is fully dependent on a prior network map.
Existing NAC systems can suffer from at least one of the deficiencies mentioned below.
A periodic scan for host assessment is not run at a high enough frequency for efficiency reasons, so a host may begin violating a policy between scans. For example, after the host is recognized as healthy, it might change status to unhealthy and the monitor may miss this. It might even change its state back to healthy before the next scan to avoid detection.
Existing NAC solutions have a tendency to remove the entire host from the network once it is found to be unhealthy. Thus, because of just one vulnerable process, all network traffic of a host may be blocked, which can have a practical impact on overall productivity. This behavior can also be abused to initiate a denial-of-service attack on that host.
Existing NAC solutions may be dependent on a prior network map, which makes them inflexible.
Existing NAC solutions may apply pattern matching for all of the applications installed on a host instead of being specific to identified vulnerable applications, which makes them more time-consuming and costly.
There is a need for an improved NAC that can operate in an efficient, controlled, and secure manner.